Reasons to set up domain groups
When you install a SQL Server 2005 failover cluster, SQL Server 2005 requires domain accounts to start the clustered services. The domain accounts must be added to a domain group.
When you perform a stand-alone installation of SQL Server 2005, SQL Server Setup creates local user groups and then adds the service accounts that you specify to these groups. The Setup program grants permissions for files and folders to these local user groups. Although the Setup program can create local user groups, the local user groups are not visible to another computer in the failover cluster. When the current computer fails over to another computer, permissions that you grant to the local user groups on the current computer are not visible to the other computer. Therefore, the Setup program requires that you provide a domain group that is accessible to all computers in the failover cluster. Then you must add the service account to the domain group when you install a SQL Server 2005 cluster. The Domain Groups for Clustered Services page of the SQL Server Installation Wizard will prompt you to enter the domain name and the group name for each clustered service that you are installing. The Setup program will not create local domain groups in the failover cluster. The Setup program only uses the domain group that you specify.
If you want to change your service account on a SQL Server 2005 cluster, make sure that your new service account is in the related domain group.
Best practices that you can use to set up domain groups
Guidelines for setting up domain groups
For each clustered service on the instance of SQL Server that you want to install, you have to set the domain name and the group name by using the following format:
You must consider the following guidelines when you set the domain name and the group name:
- The domain name and the group name must already exist. Ask your domain administrator for the names of existing domains and domain groups, or ask your domain administrator to create domain groups for your failover cluster.
- The account under which the Setup program is running must have permissions to add accounts to the domain groups. When the service account domain differs from the domain group domain, you must add the account to the domain group before you run the Setup program. You may have to ask a domain administrator to add the account.
- Each service should have a different domain group assigned to it. You can assign the same domain group to all services. However, the domain group will be less secure.
- The SQL Server domain groups should not be shared with any other application.
- Subgroups or child domain groups are not supported. The service account must be in the group that is selected in the SQL Server 2005 Setup program.
- The domain groups must be within the same domain as the computer accounts.
- The domain groups can be global domain groups or local domain groups.
- The following clustered services require one or more domain groups:
  - SQL Server
  - SQL Server Agent
  - Microsoft Full-Text Engine for SQL Server (MSFTESQL)
  - SQL Server Analysis Services
After you install a SQL Server 2005 failover cluster, you can change the service accounts.
Note SQL Server accounts are not removed from the groups if SQL Server 2005 is uninstalled or if the accounts are changed. A domain administrator must make sure that all unwanted accounts are removed after SQL Server 2005 is uninstalled.
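A pre-Setup check of the guidelines above, and of the cleanup that the preceding note leaves to the domain administrator, as an added PowerShell example that is not part of the original article. The domain, group and account names are constructed sample data and Test-SqlClusterGroupPlan is a hypothetical helper; on a live domain the membership table would be filled from Get-ADGroupMember.

```powershell
# Added example: audit a planned SQL Server 2005 cluster domain group layout.
# CONTOSO, FABRIKAM, SQLCL-* and svc-* are constructed sample names.
$ComputerDomain = 'CONTOSO'   # domain of the cluster node computer accounts

# Clustered service -> domain group and service account to be given to Setup.
$Plan = @(
    [pscustomobject]@{ Service = 'SQL Server';       Group = 'CONTOSO\SQLCL-Engine'; Account = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Service = 'SQL Server Agent'; Group = 'CONTOSO\SQLCL-Engine'; Account = 'CONTOSO\svc-agt' }
    [pscustomobject]@{ Service = 'MSFTESQL';         Group = 'FABRIKAM\SQLCL-FTS';   Account = 'CONTOSO\svc-fts' }
)

# Direct members of each group. On a live domain, build this table from
# Get-ADGroupMember -Identity <group> (ActiveDirectory module, without -Recursive).
$Members = @{
    'CONTOSO\SQLCL-Engine' = @(
        [pscustomobject]@{ Name = 'CONTOSO\svc-sql';     Class = 'user' }
        [pscustomobject]@{ Name = 'CONTOSO\svc-sql-old'; Class = 'user' }
        [pscustomobject]@{ Name = 'CONTOSO\SQL-Admins';  Class = 'group' }
    )
    'FABRIKAM\SQLCL-FTS' = @(
        [pscustomobject]@{ Name = 'CONTOSO\svc-fts'; Class = 'user' }
    )
}

function Test-SqlClusterGroupPlan {
    param($Plan, $Members, [string]$ComputerDomain)
    $findings = @()
    foreach ($p in $Plan) {
        # The group must be in the same domain as the computer accounts.
        if ($p.Group.Split('\')[0] -ne $ComputerDomain) {
            $findings += "$($p.Service): group $($p.Group) is not in computer domain $ComputerDomain"
        }
        # The service account must be in the selected group itself, not a subgroup.
        if (@($Members[$p.Group]).Name -notcontains $p.Account) {
            $findings += "$($p.Service): $($p.Account) is not a direct member of $($p.Group)"
        }
    }
    foreach ($g in ($Plan | Group-Object Group)) {
        # One group per service; a shared group is allowed but less secure.
        if ($g.Count -gt 1) { $findings += "$($g.Name): shared by $($g.Group.Service -join ', ')" }
        $expected = @($g.Group.Account)
        foreach ($m in @($Members[$g.Name])) {
            if ($m.Class -eq 'group') { $findings += "$($g.Name): nested group $($m.Name) (subgroups are not supported)" }
            elseif ($expected -notcontains $m.Name) { $findings += "$($g.Name): unexpected member $($m.Name)" }
        }
    }
    $findings
}
Test-SqlClusterGroupPlan -Plan $Plan -Members $Members -ComputerDomain $ComputerDomain
```

Each finding maps to one guideline. An "unexpected member" is either another application sharing the group or an account that was left behind after a service account change or an uninstall.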
How to change the service account for a clustered service
To change the service account for a clustered service of SQL Server 2005, follow these steps:
- Add the new service account to the domain group of the clustered service.
- On one of the cluster nodes, use SQL Server Configuration Manager to change the service account to the new account.
After you install a SQL Server 2005 failover cluster, you cannot directly change the domain groups.
How to change the domain group for a clustered service
To change the domain group for a clustered service, you can uninstall and then reinstall SQL Server 2005. If you do not want to uninstall SQL Server 2005 and you want to keep the system databases, use one of the following methods:
- Restore the SQL Server 2005 Setup media. This example assumes that the Setup program is located in the D:\Servers folder.
- Locate the D:\Servers folder, and then uninstall SQL Server 2005 by using a Command Prompt window. Set the SAVESYSDB parameter to 1. For example, run a command that resembles the following in a Command Prompt window:
Start /wait D:\Servers\setup.exe /qb VS=VirtualServerName INSTANCENAME=InstanceName REMOVE=ALL ADMINPASSWORD=Password SAVESYSDB=1
Notes
- The /qb command-line switch enables basic Setup program dialog boxes to appear. Error messages also appear.
- The VS parameter specifies the name of the virtual server in the cluster environment. The name cannot exceed 15 characters, and it must follow the same naming rules as computer names.
- The SAVESYSDB parameter instructs the Setup program not to remove the system databases.
- After you uninstall SQL Server 2005, create new domain groups that you want to use for the new installation in the domain. If you want to change the domain for the new installation, change the domain. Then, create the new domain groups.
- At the command prompt, install a new SQL Server 2005 cluster by setting the USESYSDB parameter to the root path of the previous SQL Server installation. The root path is defined as the parent folder of the \Data folder. For example, the system databases may be installed to the following location:
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf
In this example, the USESYSDB parameter would be set to the following value:
USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"
For example, run a command that resembles the following at the Command Prompt window to reinstall SQL Server 2005:
Start /wait D:\Servers\Setup.exe /qb VS=VirtualServerName INSTANCENAME=InstanceName USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"
Additionally, you can use the following command to specify domain groups when you use the /qn command-line switch to install SQL Server 2005:
Start /wait D:\Servers\Setup.exe /qn VS=VirtualServerName INSTANCENAME=InstanceName INSTALLVS=SQL_Engine ADDLOCAL=SQL_Engine ADDNODE=NodeName1,NodeName2 GROUP=DiskGroup IP=IP,NetworkName ADMINPASSWORD=StrongPassword SAPWD=StrongPassword INSTALLSQLDIR=InstallationPath INSTALLSQLDATADIR=ShareDrivePath SQLACCOUNT=Domain\UserName SQLPASSWORD=DomainUserPassword AGTACCOUNT=Domain\UserName AGTPASSWORD=DomainUserPassword SQLBROWSERACCOUNT=Domain\UserName SQLBROWSERPASSWORD=StrongPassword SQLCLUSTERGROUP=YourDomain\YourDomainGroupName AGTCLUSTERGROUP=YourDomain\YourDomainGroupName USESYSDB="D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\"
Note The /qn command-line switch suppresses all Setup program dialog boxes and error messages. If you use the /qn command-line switch, all Setup program messages that include error messages are written to the SQL Server Setup log files.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
1. Install SQL Server 2005 Service Pack 2 (SP2) or SP3.
2. In Registry Editor, locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.X\Setup
   Note MSSQL.X represents the corresponding value for the system. To determine the corresponding value for the system, examine the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
3. Delete the value of the following registry entries if you want to use new domain groups:
   Note In step 8, you specify the new domain groups for these groups in the command.
4. Set the value of the Resume registry entry to 1.
5. In Registry Editor, locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.Y\Setup
   Note MSSQL.Y represents the corresponding value for the system. To determine the corresponding value for the system, examine the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\OLAP
6. Delete the value of the ASGroup registry entry if you want to use a new domain group.
   Note In step 8, you specify the new domain group for the Analysis Services cluster group in the command.
7. Repeat steps 1-6 on all cluster nodes.
8. At a command prompt on the active node, run the following command:
   start /wait D:\Servers\setup.exe /qb INSTANCENAME=InstanceName REINSTALL=ALL REINSTALLMODE=omus SAPWD=StrongPassword VS=VirtualServerName ADMINPASSWORD=StrongPassword IP=IP,NetworkName GROUP=DiskGroup SQLCLUSTERGROUP=YourDomain\YourDomainGroupName ASCLUSTERGROUP=YourDomain\YourDomainGroupName AGTCLUSTERGROUP=YourDomain\YourDomainGroupName FTSCLUSTERGROUP=YourDomain\YourDomainGroupName
   Note After you run this command, there is no need to reapply the cumulative updates for the current SQL Server service pack (SP2 or SP3) because the keys that are modified are domain group-related and are not modified by cumulative updates.
For information about changing domain groups in SQL Server 2008 environments refer to the following Microsoft Knowledge Base article:
"No mapping between account names and security IDs was done" error when adding a node to a SQL Server 2008 Failover Cluster
- If you try to install SQL Server 2005 on a Microsoft Windows 2000 Server-based computer, make sure that you create the domain group and add the service account user to the domain group before you run the Setup program.
- Installing a SQL Server 2005 cluster on a domain controller is not supported.
- Running SQL Server 2005 cluster Setup in repair mode does not enable a user to change domain groups.
Solutions to problems when you set up a domain group
When you specify a domain group for the clustered services on the Domain Groups for Clustered Services page of the Microsoft SQL Server 2005 Installation Wizard, you receive the following error message:
You do not have privileges to add accounts to the domain groups specified for this failover cluster. Ask your domain administrator for privileges to add new accounts to the domain groups, or log on using an account that does have permission.
The domain group cannot be validated for the service <ServiceName> Search.
This problem occurs if the following conditions are true:
- There are two domains from different forests. Suppose the names of the domains are DomainA and DomainB, respectively.
- There is a mutual trust relationship between these domains.
- You are a user that is created in DomainA.
- You are a member of the Administrators group in DomainB.
- You are not a member of the domain group in DomainB.
Note The domain group is the one that you specify for the clustered services on the Domain Groups for Clustered Services page.
- You install SQL Server 2005 on a cluster node in DomainB.
To work around this problem, follow these steps:
- On the cluster node where you installed SQL Server 2005, click Start, click Run, type dsa.msc, and then click OK.
- In the Active Directory Users and Computers window, add the user account that you use to log on to Microsoft Windows to the domain group.
Note The domain group that is mentioned in this step is the one that you want to specify for the clustered services on the Domain Groups for Clustered Services page.
- Start the installation of SQL Server 2005.
For more information about how to install SQL Server 2005 at a command prompt, visit the following Microsoft Developer Network (MSDN) Web site:
For more information about how to install SQL Server Reporting Services at a command prompt, visit the following MSDN Web site:
For more information about specific parameters that you can use when you install SQL Server at a command prompt, visit the following MSDN Web site:
For more information about user groups for different SQL Server 2005 services, visit the following MSDN Web site:
For more information, see the following topics in SQL Server 2005 Books Online:
- How to create a new SQL Server 2005 failover cluster (Setup)
- Domain groups for clustered services